The present invention relates to device ownership keys, and to the creation and management of device ownership keys in Trusted Platform Modules.
A Trusted Platform Module (TPM) is a special purpose digital microprocessor-based module which offers facilities for the secure generation of cryptographic keys in the nonvolatile memory of the TPM, and other capabilities such as remote attestation and sealed storage. These facilities may be used, for example, to authenticate computing systems. TPMs are specified by the Trusted Computing Group (http://trustedcomputinggroup.org); the specification at the time of this application is Version 1.2 Revision 103, published Jul. 9, 2007, and incorporated herein by reference. TPMs are produced by companies such as Atmel, Broadcom, Infineon, AMT, and ST Microelectonics, among others.
Trusted Platform Modules (TPMs) require the creation and management of an “owner” key in order to provide these and other security functions. In general terms, the owner key forms the root of a cryptographic key hierarchy, but it is keys lower in this hierarchy that are typically used for day to day activities. Hence, it is entirely possible that for some use cases, an owner key, once used to create the key hierarchy that lays beneath it, may be set aside and not used for further operations.
In currently shipping laptop computers and other consumer devices containing TPMs, the purchaser of the device is typically expected to “take ownership”, generating an “owner key” in the process, and to provide for the secure management and use of that key. However, this is a complex undertaking that requires significant security expertise and planning to perform correctly, and there currently are very few convenient tools available for this purpose. The net effect is that many TPMs exist in consumer devices today, but, owing to the complexities involved, few are actually being used.
In the case of an embedded device such as network controller or access node, it is not strictly necessary that the customer purchasing the device be aware of the TPM and concepts such as TPM ownership in order to reap many of the advantages it provides. That is, ownership operations can be pre-programmed at some point (e.g. during manufacturing), and the TPM can be entirely operated by the system software/firmware on the device, with no customer interaction. This model also extends quite readily to centralized management of laptop and desktop computers containing TPMs.
If in such cases the owner key were to reside on the device, there is a risk that device compromise could result in loss of legitimate TPM ownership, and this could, in turn, lead to loss of control of the device. This is potentially very serious. However, since the owner key is not typically required for day to day operations, this key may be eliminated from the device once the underlying key hierarchy has been generated, so long as it is possible to restore the owner key in those rare cases where a very advanced customer might want to reset the TPM, and derive their own owner key hierarchy.
Taking such an approach entails the following requirements:
Each device should have a unique owner key; that is, the probability of any two devices having the same owner key should be very close to zero. Owner keys should be unpredictable.
Guessing the owner key should be impractical, i.e. the probability of guessing an owner key within the useful lifetime of the device, say 20 years, should be very close to zero.
The device manufacturer should be able to derive the owner key for any given device, should this ever become necessary.
It should be highly unlikely for the device manufacturer to “lose” the owner key for any device, although the net cost of such a loss would be the cost of replacement of the affected device.
It should not be possible for an adversary to obtain a single data value that, once compromised, would permit derivation of arbitrary owner storage keys; put differently, owner keys should be derived based on multiple factors, raising the bar against a process compromise leading to exposure of all owner keys.
It should be possible to provide advanced customers with owner keys for their own devices, so that they can reset the devices and derive their own (secret) owner keys if desired.
What is needed is a process for creating and managing TPM device ownership keys which addresses these requirements.